Rule History

SID: 10002808 • Source: ptrules/open

Versions (6)

Version DetailsCurrent

Rev: 3 • Jul 24, 2025, 5:44 PM

Message:

ATTACK [PTsecurity] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE through registration form (CVE-2018-7600)

Rule:

alert http any any -> any any (msg:"ATTACK [PTsecurity] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE through registration form (CVE-2018-7600)"; flow:established, to_server; content:"/user/register"; http_uri; content:"POST"; http_method; content:"drupal"; http_client_body; pcre:"/(%23|#)(access(?:_|%5f)callback|pre(?:_|%5f)render|post(?:_|%5f)render|lazy(?:_|%5f)builder)/Pi"; reference:cve, 2018-7600; reference:url, research.checkpoint.com/uncovering-drupalgeddon-2; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10002808; rev:3;)

Created:

Jul 24, 2025, 5:44 PM

Updated:

Jul 24, 2025, 5:44 PM

DB Created:

Oct 16, 2025, 10:34 AM

DB Updated:

Oct 16, 2025, 10:34 AM

Filename:

rules/ptopen-attacks.rules